BlackMatter & Haron – newborns or rebirths? / Apple urgent update / UBEL is the NEW Oscorp

Last week, the industry media reported on spectacular debuts or rebirths in the cybercriminal world. Do you remember our news from two weeks ago about the end of REvil? Well, we advised you to hold off on popping the champagne … The celebration was interrupted by the news about the emergence of two ransomware groups on the market – BlackMatter and Haron, which may turn out to be successors of REvil and Avaddon. And that's not the end of the big returns – Oscorp, the Android malware stealing data and funds from banking apps, came back even stronger in the form of the UBEL botnet.

What else? If Apple calls for urgent updates of most of its devices just one week after a series of patches, you know something is happening. In addition – a critical Hyper-V vulnerability that received the infamous rating of 9.9 on the ten-point CVSS severity scale!

BlackMatter & Haron: new ransomware groups or REvil and Avaddon successors?

Do you remember our news from two weeks ago about the end of REvil? We ended with the words that we wouldn't pop the champagne and celebrate so fast…

Two new ransomware-as-a-service (RaaS) programs have appeared on the threat radar – BlackMatter and Haron.

Both claim to be focused on targets with deep pockets that can pay ransoms in the millions of dollars. They are also virtue-signaling à la DarkSide, with similar language about sparing hospitals, critical infrastructure, nonprofits, etc.

BlackMatter even claims to be the successor of REvil and DarkSide, incorporating the best features of DarkSide, REvil, and LockBit.

According to Flashpoint, the BlackMatter threat actor registered an account on Russian-language forums XSS and Exploit on July 19, quickly following it up with a post stating they are looking to purchase access to infected corporate networks comprising anywhere between 500 and 15,000 hosts in the U.S., Canada, Australia, and the U.K. and with revenues of over $100 million a year, potentially hinting at a large-scale ransomware operation. On July 27, the group is said to have begun actively recruiting partners and affiliates using Exploit forum’s Jabber server to promulgate their recruitment message.

The emergence of BlackMatter coincides with the demise of DarkSide and REvil in the wake of the highly publicized ransomware incidents at Colonial Pipeline, JBS, and Kaseya, raising speculation that those groups may eventually rebrand and resurface under a new identity.

Haron group’s first malware sample was submitted to VirusTotal on July 19. Three days later, the South Korean security firm S2W Lab reported on the group in a post that laid out similarities between Haron and Avaddon. What similarities? The ransom notes look like a cut-and-paste job, and the negotiation sites have nearly identical wording and appearance. Chunks of the open-source JavaScript code used for the chat are identical, and the two leak sites share the same structure.

So are those groups newborns or rebirths? Time will tell. One thing is sure – companies with deep pockets, watch out!

Sources 1 | 2

Urgently update your iPhone, iPad, and Mac. Right now!

Apple on Monday patched a zero-day vulnerability in its iOS, iPadOS, and macOS operating systems, only a week after issuing a set of OS updates addressing about three dozen other flaws. The company urges users to immediately install the updates to fix a critical memory corruption flaw that can allow an attacker to execute arbitrary code with kernel privileges and take over the device.

The flaw, tracked as CVE-2021-30807, is found in the IOMobileFrameBuffer kernel extension, which exists in both iOS and macOS, and has been fixed separately for each platform. So here we have three new updates – iOS 14.7.1, iPadOS 14.7.1, and macOS Big Sur 11.5.1.

While the update also contains bug fixes, its main component is a security fix for a vulnerability that Apple says “may have been actively exploited.” So read between the lines – the bad guys are already using it.

Apple did not, however, say who might be involved in the exploitation of this bug. Nor did the company respond to a query about whether the bug has been exploited by NSO Group’s Pegasus surveillance software.

iOS devices that should be updated immediately are: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

To update your iPhone or iPad, go to Settings > General > Software Update and download and install any available updates. On a Mac running Big Sur, go to System Preferences > Software Update and install macOS 11.5.1.

Sources 1 | 2

UBEL is the New Oscorp – Android malware that wants to hijack your banking credentials

An Android malware family observed abusing the device’s accessibility services to hijack user credentials from European banking applications has morphed into an entirely new botnet as part of a renewed campaign that began in May 2021.

Oscorp was disclosed by Italy’s CERT-AGID in late January. The mobile malware was developed to attack multiple financial targets and steal funds. It can intercept SMS messages, make phone calls, and carry out overlay attacks against more than 150 mobile applications. How? By drawing lookalike login screens over the real apps to siphon off valuable data.

The malware was distributed through malicious SMS messages. The attacks were often conducted in real time: the operators posed as bank employees to dupe targets over the phone, surreptitiously gained access to the infected device via the WebRTC protocol, and ultimately carried out unauthorized bank transfers.

Now it looks like Oscorp may have staged a return after a temporary hiatus in the form of an Android botnet named UBEL.

According to Italian cybersecurity company Cleafy, Oscorp and UBEL have the same malicious codebase, suggesting a fork of the same original project or just a rebrand by other affiliates. 

Advertised on underground forums for $980, UBEL, like its predecessor, requests intrusive permissions that allow it to read and send SMS messages, install and delete applications, record audio, launch itself automatically after system boot, and abuse Android accessibility services to collect sensitive information such as login credentials and 2FA codes, which are then exfiltrated to a remote server.

Once installed on the device, the malware attempts to run as a service, hide its presence, and maintain persistence for as long as possible.

Interestingly, the use of WebRTC to interact with the compromised Android phone in real time removes the need to enroll a new device or take over the account from elsewhere to perform fraudulent transactions: the transfers originate from the victim’s own, already-trusted phone, so device-based fraud controls on the bank’s side see nothing unusual.

Oscorp targets banks and apps in Spain, Poland, Germany, Turkey, the U.S., Italy, Japan, Australia, France, and India, among others, according to the report.


Critical 9.9/10 flaw in Microsoft Hyper-V could allow RCE and DoS

Researchers Peleg Hadar of SafeBreach and Ophir Harpaz of Guardicore disclosed details about a critical flaw in Microsoft Hyper-V. Tracked as CVE-2021-28476, it allows a guest VM to trigger a denial-of-service condition on the Hyper-V host or, potentially, to execute arbitrary code on it.

The flaw resides in Microsoft Hyper-V’s network switch driver (vmswitch.sys) and affects Windows 10 and Windows Server 2012 through 2019. It has a critical severity score of 9.9 out of 10 and was addressed by Microsoft in the May 2021 Patch Tuesday release.

According to the advisory published by the company, “this issue allows a guest VM to force the Hyper-V host’s kernel to read from an arbitrary, potentially invalid address. The contents of the address read would not be returned to the guest VM. In most circumstances, this would result in a denial of service of the Hyper-V host (bugcheck) due to reading an unmapped address. It is possible to read from a memory mapped device register corresponding to a hardware device attached to the Hyper-V host which may trigger additional, hardware device specific side effects that could compromise the Hyper-V host’s security.”

The switch driver vmswitch.sys fails to validate the value of an object identifier (OID) request intended for a network adapter. An attacker controlling a guest virtual machine could send a specially crafted packet to the Hyper-V host to exploit this vulnerability. Because the attack surface is reachable from any guest with a virtual NIC, hosts that run untrusted or multi-tenant guests should be patched first.
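As an added illustration of the bug class the advisory describes (this is not vmswitch.sys code, whose source is not public), the following C model contrasts a host-side OID request handler that trusts a guest-supplied offset with one that validates it before touching memory. The request layout, OID number, address ranges, and status codes are all assumptions made for the illustration; the three outcomes mirror the ones in Microsoft’s description (normal read, unmapped read causing a host bugcheck, and a read landing on a device register).

```c
/* Hypothetical model of a guest-to-host OID request handler.
 * Not vmswitch.sys code: every name, layout and address below is assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcomes, modelled on the three cases in Microsoft's advisory text. */
enum host_status {
    HOST_OK = 0,               /* request handled, read stayed inside the adapter's data */
    HOST_INVALID_PARAM = 1,    /* request rejected before any memory access */
    HOST_BUGCHECK = 2,         /* read of an unmapped address: host denial of service */
    HOST_MMIO_SIDE_EFFECT = 3  /* read hit a device register: device-specific side effects */
};

/* Toy host address space (assumed layout): one RAM page and one MMIO window. */
#define RAM_BASE   0x1000u
#define RAM_SIZE   0x1000u
#define MMIO_BASE  0x8000u
#define MMIO_SIZE  0x100u
#define STATS_SIZE 0x100u      /* size of the per-adapter statistics block (assumed) */

static uint8_t ram[RAM_SIZE];

/* Models the host kernel reading one byte at addr. A real kernel would fault
 * (bugcheck) on an unmapped address; here we only report which case occurred. */
static enum host_status kernel_read_byte(uint64_t addr, uint8_t *out)
{
    if (addr >= RAM_BASE && addr < RAM_BASE + RAM_SIZE) {
        *out = ram[addr - RAM_BASE];
        return HOST_OK;
    }
    if (addr >= MMIO_BASE && addr < MMIO_BASE + MMIO_SIZE) {
        *out = 0xFF;           /* whatever the device register happens to return */
        return HOST_MMIO_SIDE_EFFECT;
    }
    return HOST_BUGCHECK;
}

/* Guest-supplied OID request as it might arrive over the VMBus channel (assumed shape). */
struct oid_request {
    uint32_t oid;         /* which object identifier the guest is querying */
    uint32_t info_len;    /* declared length of the information field */
    uint64_t info_value;  /* the value; here an offset into the adapter's stats block */
};

#define OID_TOY_ADAPTER_STATS 0x00010001u   /* assumed OID number */

/* Vulnerable variant: the offset from the guest is used without any range check,
 * so the host reads wherever RAM_BASE + offset lands. */
enum host_status handle_oid_vulnerable(const struct oid_request *req)
{
    uint8_t b;
    if (req->oid != OID_TOY_ADAPTER_STATS)
        return HOST_INVALID_PARAM;
    return kernel_read_byte(RAM_BASE + req->info_value, &b);
}

/* Hardened variant: reject requests whose length or offset do not match what
 * this OID may legitimately touch, before any host memory is dereferenced. */
enum host_status handle_oid_hardened(const struct oid_request *req)
{
    uint8_t b;
    if (req->oid != OID_TOY_ADAPTER_STATS)
        return HOST_INVALID_PARAM;
    if (req->info_len != sizeof req->info_value)
        return HOST_INVALID_PARAM;
    if (req->info_value >= STATS_SIZE)
        return HOST_INVALID_PARAM;
    return kernel_read_byte(RAM_BASE + req->info_value, &b);
}

int main(void)
{
    /* Constructed requests: one benign, two crafted by a hostile guest. */
    struct oid_request benign   = { OID_TOY_ADAPTER_STATS, sizeof(uint64_t), 0x10 };
    struct oid_request far_away = { OID_TOY_ADAPTER_STATS, sizeof(uint64_t), 0x100000 };
    struct oid_request into_mmio = { OID_TOY_ADAPTER_STATS, sizeof(uint64_t), MMIO_BASE - RAM_BASE };

    printf("benign:    vulnerable=%d hardened=%d\n",
           handle_oid_vulnerable(&benign), handle_oid_hardened(&benign));
    printf("far away:  vulnerable=%d hardened=%d\n",
           handle_oid_vulnerable(&far_away), handle_oid_hardened(&far_away));
    printf("into MMIO: vulnerable=%d hardened=%d\n",
           handle_oid_vulnerable(&into_mmio), handle_oid_hardened(&into_mmio));
    return 0;
}
```

The benign request succeeds in both variants; the two crafted ones reach the bugcheck and MMIO paths only in the unvalidated handler, which is the whole difference the patch needs to make. The point for reviewers of any host-side virtual device code is the same: every field a guest controls is untrusted input, and it must be checked against the object it is allowed to address before the host dereferences anything derived from it.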

To learn more about this flaw and download the security update, visit the Microsoft advisory.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below:

  1. LockBit ransomware now encrypts Windows domains using group policies (Bleeping Computer)
  2. Hackers posed as aerobics instructors for years to target aerospace employees (The Hacker News)
  3. Serious Vulnerabilities Found in Firmware Used by Many IP Camera Vendors (Security Week)
  4. eBay ex-security boss sent down for 18 months for cyber-stalking, witness tampering (The Register)
  5. Zimbra Server bugs could lead to email plundering (Threat Post)
  6. Babuk Ransomware gang ransomed, new forum stuffed with porn (Threat Post)
  7. New Android malware uses VNC to spy and steal passwords from victims (The Hacker News)
  8. Booking your next holiday? Watch out for these Airbnb scams (We Live Security)
  9. Cisco researchers spotlight Solarmarker malware (ZDNet)
  10. Six malicious Linux Shell scripts used to evade defenses and how to stop them (Threat Post)